Scanning shared hosting servers to catch abusers, unwanted files, phishers, spammers and script kiddies with ClamAV
I'm responsible for some GNU/Linux servers used for shared hosting, which therefore carry plenty of user accounts.
Every now and then one of our company's servers gets suspended because of phishing websites, spammers, script kiddies and every other kind of abuser one can think of.
To limit the impact of this unwanted user activity on the servers, I decided to use the ClamAV antivirus, an open source virus scanner, to look for potentially dangerous files in the hosted content: stored viruses, spammer mailer scripts, kernel exploits and so on.
The hosting servers run the latest CentOS 5.5 Linux, and fortunately a pre-packaged RPM of the latest ClamAV release, which at the time of writing is 0.97.2, is readily available (it comes from add-on repositories such as EPEL rather than the CentOS base repositories, so one of those has to be enabled first).
Installing ClamAV on CentOS is a piece of cake and comes down to issuing:
[root@centos:/root]# yum -y install clamav
...
After the install completed, I used freshclam to update the ClamAV virus definitions. The WARNING lines below are harmless: the daily database shipped with the package is so far behind that the incremental .cdiff patches needed to bring it forward are no longer on the mirrors, so freshclam falls back to downloading the full daily.cvd:
[root@centos:/root]# freshclam
ClamAV update process started at Fri Aug 12 13:19:32 2011
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53,
builder: sven)
WARNING: getfile: daily-13357.cdiff not found on remote server (IP:
81.91.100.173)
WARNING: getpatch: Can't download daily-13357.cdiff from
db.gb.clamav.net
WARNING: getfile: daily-13357.cdiff not found on remote server (IP:
163.1.3.8)
WARNING: getpatch: Can't download daily-13357.cdiff from
db.gb.clamav.net
WARNING: getfile: daily-13357.cdiff not found on remote server (IP:
193.1.193.64)
WARNING: getpatch: Can't download daily-13357.cdiff from
db.gb.clamav.net
WARNING: Incremental update failed, trying to download
daily.cvd
Downloading daily.cvd [100%]
daily.cvd updated (version: 13431, sigs: 173670, f-level: 60,
builder: arnaud)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 144, sigs: 41, f-level: 60, builder:
edwin)
Database updated (1019925 signatures) from db.gb.clamav.net (IP:
217.135.32.99)
In my case the hosted websites and the users' FTP files live under /home, so I then ran clamscan as follows to check that directory, report only infected files (-i) and log the scan results for our company's hosted user content to a file (-l):
[root@centos:/root]# screen clamscan -r -i
--heuristic-scan-precedence=yes --phishing-scan-urls=yes
--phishing-cloak=yes --phishing-ssl=yes --scan-archive=no /home/ -l
/var/log/clamscan.log
/home/user1/mail/new/1313103706.H805502P12513.hosting,S=14295:
Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/new/1313111001.H714629P29084.hosting,S=14260:
Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/new/1305115464.H192447P14802.hosting,S=22663:
Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/new/1311076363.H967421P17372.hosting,S=13114:
Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/domain.com/infos/cur/1311181523.H572764P6859.hosting,S=8283:2,S:
Heuristics.Phishing.Email.SSL-Spoof FOUND
/home/user1/mail/domain.com/infos/cur/1311229820.H434026P2905.hosting,S=6935:2,S:
Heuristics.Phishing.Email.SSL-Spoof FOUND
I prefer running clamscan inside a screen session because it is handier: if, for example, my SSH connection dies, the screen session keeps the clamscan command running and I can reattach later to see how the scan went.
clamscan is of course slower than scanning through the ClamAV daemon clamd (via its client clamdscan), since every clamscan run has to load the full signature database into memory before it starts, whereas clamd keeps the signatures loaded permanently. Still, I prefer running it without the daemon: a permanently running clamd on the servers sometimes creates problems or hangs, and it is not really worth keeping it running since I intend to run clamscan no more than once per month, to spot users who might need to be suspended.
Also, after the scan finishes every detection is logged to /var/log/clamscan.log, so I can read the report at any time. Because of -i, a clean scan writes nothing there but the summary block.
It might also be a good idea to run the above clamscan once per month via a cron job, though I am still in doubt whether it is better to run it by hand once per month to search for malicious user content or to schedule it through cron.
One possible pitfall with automating the above clamscan check of /home is the extra load it puts on the system. The web server and SQL server might be under heavy load at exactly the time the clamscan cron job runs, and, if nobody is monitoring, this could cause serious problems for the users' websites. Running the scan under nice -n 19 and ionice -c3 (the idle IO class) keeps it from competing with the web and database processes for CPU and disk time, but it does not make the scan free: it still reads every file under /home.
Thus I would probably go with running the clamscan above manually each month and monitoring the server performance while it runs.
However, for people with "iron" system hardware, where a clamscan file scan is unlikely to cause any issues, a cron job would probably be fine. Here is a sample cron job (an entry in root's crontab, so no user field) to run clamscan at 05:10 every day; note the order of the redirections, since the original "2>&1 >/dev/null" would discard stdout but keep mailing every error line to root:
10 05 * * * clamscan -r -i --heuristic-scan-precedence=yes --phishing-scan-urls=yes --phishing-cloak=yes --phishing-ssl=yes --scan-archive=no /home/ -l /var/log/clamscan.log >/dev/null 2>&1
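As an added example (not from the original post), here is a small wrapper around the clamscan invocation above that addresses both the load concern and the cron question: it runs the scan at the lowest CPU and IO priority, uses flock so a second cron run cannot start while a previous one is still going, and then summarises the FOUND lines of the report per hosting account so the accounts worth suspending stand out. The script name, the lock file path and the use of flock, nice and ionice (util-linux and coreutils tools assumed to be installed) are my assumptions; the sample report is constructed from the output format shown above, with made-up EICAR lines.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the clamscan run from the
# post: low priority, no overlapping runs, per-account summary of findings.
# HOME_ROOT, LOGFILE and LOCKFILE are assumed paths; override via environment.

HOME_ROOT=${HOME_ROOT:-/home}
LOGFILE=${LOGFILE:-/var/log/clamscan.log}
LOCKFILE=${LOCKFILE:-/var/lock/clamscan-home.lock}

# Run the scan exactly as in the post. nice/ionice keep it from competing with
# the web and SQL servers; flock -n exits immediately if a previous run still
# holds the lock, so two scans never pile up on a slow server.
run_home_scan() {
    flock -n "$LOCKFILE" \
        nice -n 19 ionice -c3 \
        clamscan -r -i --heuristic-scan-precedence=yes --phishing-scan-urls=yes \
            --phishing-cloak=yes --phishing-ssl=yes --scan-archive=no \
            "$HOME_ROOT" -l "$LOGFILE"
}

# Read a clamscan report on stdin and print "count account" lines, most hits
# first. An account is the first path component below HOME_ROOT; hits outside
# it (e.g. /tmp) are grouped under "(outside HOME_ROOT)". The signature and the
# trailing FOUND are stripped with a regex anchored at the end of the line, so
# file names containing spaces or colons (as the Maildir names do) are handled.
summarize_findings() {
    awk -v root="$HOME_ROOT" '
        $NF == "FOUND" {
            path = $0
            sub(/: [^ ]+ FOUND$/, "", path)
            user = "(outside " root ")"
            if (index(path, root "/") == 1) {
                split(substr(path, length(root) + 2), parts, "/")
                user = parts[1]
            }
            count[user]++
        }
        END { for (u in count) printf "%d %s\n", count[u], u }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample report in the format clamscan prints with -i; the mail
# lines follow the post's output, the EICAR lines are made up.
sample_report() {
    cat <<'EOF'
/home/user1/mail/new/1313103706.H805502P12513.hosting,S=14295: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/user1/mail/domain.com/infos/cur/1311181523.H572764P6859.hosting,S=8283:2,S: Heuristics.Phishing.Email.SSL-Spoof FOUND
/home/user1/public_html/uploads/a b.txt: Eicar-Test-Signature FOUND
/home/user2/public_html/eicar.com: Eicar-Test-Signature FOUND
/home/user2/mail/new/1311076363.H967421P17372.hosting,S=13114: Heuristics.Phishing.Email.SpoofedDomain FOUND
/tmp/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1019925
Infected files: 6
EOF
}

# Usage: "sh scan-home.sh scan" runs the scan and summarises its log (this is
# what the cron entry would call); "sh scan-home.sh demo" only summarises the
# constructed sample report, which needs no ClamAV installed.
case "${1:-}" in
    scan) run_home_scan; summarize_findings < "$LOGFILE" ;;
    demo) sample_report | summarize_findings ;;
esac
```

With the sample report the summary is "3 user1", "2 user2" and "1 (outside /home)". Replacing the bare clamscan command in the crontab line with "scan-home.sh scan" keeps the monthly or daily run from overlapping itself and from starving the web and database servers, which was the main worry about automating it.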
I'm interested to hear whether somebody is already running clamscan from cron without issues; once I'm sure that running it from cron would not lead to server downtime, I'll implement it as a cron job.
Anyone having experience with running a clamscan directory scan through crond? :)